I don't know what surprises me the most: the vulnerability itself, being that easy to explore, or how long it was unknown to the industry and community.
Yes.
This is what happens when frameworks add pointless features that nobody, apart from hackers, uses
@UCiuMGUP-oDMz4lYat6Jh8ZQ I truly hope it was a brilliant hacker to turn a logging system into a widespread telnet
But it is a free software library under the Apache license which can be modified.
It happens, been in the industry for 10ish years now and this is one of many I've had to deal with for massive companies. This isn't even the worst one lol, but is more widespread.
What's scary is that this RCE is so incredibly easy to do, and it's attacking something that is so widely used, you just know people had to have been using it for years without people knowing it! This kind of RCE is literally a once in a decade kind of find. Log4J is run on so many things, it is impossible that they will all get patched, so this RCE will be valid for a long time to come.
There have been three other extremely dangerous but less-publicized vulnerabilities that are similar on a somewhat less ubiquitous piece of software. I get the feeling “once in a decade” is quickly going to turn into “once every six months” then “once in a quarter”
Been dealing with this all week at work. It's an easy enough fix but it's just a pita to do all of 'em manually till they patch it in software.
Right there with you. Tired of seeing this vuln. Work in a SOC and over it already. Reminds me of when I first started when it was all about WannaCry.
Honestly, this week was filled with frustration and copious amounts of caffeine.
Luckily only had one application running it with no ability to access input without being an authorized user with certificate credentials... regardless, was not too bad of a fix for having to deal with only one instance. Feel for ya though, keep at it.
Easy * every single vulnerable service, app, network infra, server.... If you're a big company your IT teams have been tired this week and next, patching as fast as the patches get announced and released.
I'm jealous you guys have to fight this! Everyone is like “man this sucks” but I’m like “man I wish I had to deal with this” lol hope that's me someday :)
“It ain’t gonna be that easy”
*“It’s that easy.”*
I could be mistaken but this looks like Oracle, who makes Java, failed to do input validation. Which is supposed to be a kind of security standard.
What companies allow access to unknown LDAP/LDAPS servers through their firewalls? This is the biggest security risk.
So much this. An aspect which seems to be always forgotten among all the Log4J/Java rants.
This exploit is basically a litmus test for all those infrastructure people with all their shiny 'DevOps' tools.
If everyone did their homework, this is nothing else than every other exploit.
The request is made by a Java application, most likely passing through the firewall. By the way, you don't have to use LDAP, you can choose another JNDI lookup method.
So you're telling me log4j downloads unknown code from any LDAP server and executes it... why would they do that ?!
So it can log the result, still pretty dumb though
Easy to do in the lab, much harder in practice. Essentially you need a very weak target system... that said there are probably plenty of those out there...
LDAP isn't required, and it's funny that he describes it as he does. LDAP is an authentication server, it's not to "send data" anywhere. Log4j simply logs incoming data, and the string escapes out of the "log this sanitized string" logic and ends up instead being executed. This sort of thing is actually pretty common.
That was an amazing, easy-to-follow video. Congrats!
I can't wait to explore this in my own home lab. It's insane how easy this exploit is and how prevalent this vulnerable application is.
'home lab' :P
At the zoom in, Lynd should have said "because crimes are illegal" and wink with that "ding" sound you hear when the answer is right.
Nooo! but yes! but Nooo! He was trying not to laugh.
I am curious what other triggers/codes are needed for this Ghidra server to be vulnerable. I notice that Qualys only marks log4j-core and log4j-api libraries; if a deployment only includes a plain jar of log4j, Qualys will ignore it no matter the version.
Why is the jdk not in the repo?
Are there any writeups that you can share regarding the Log4j vulnerability?
I don't know how to thank you for this explanation, it was really hard to get what's going on, mostly at work where everyone is freaking out with this, now I have a more realistic understanding of the dangers of this CVE...
Thanks a lot!
Really strange design decision for a logger, it must be a well-designed backdoor.
The feature request dates back to July 2013. LiveOverflow talked about it.
It's java, so it's definitely a feature
@@gg-gn3re It depends on how you look at it
@@LabGecko I was joking too. If you're a hacker, it's definitely a feature.
Ghidra is not loading. Producing a JRE not found error. Any ideas? Have even placed JRE into the Ghidra folder.
Nice video demo Alex. It would be cool if a line or two would be dedicated to seeing what shows up in the logfile (assuming that your logfile will not be destroyed by the exploit).
Detecting this in the logfile is not so straightforward (depending on the application).
Great and timely video! I'm seeing a lot of problems relating to the updates today...... More accurately the same problem with the same update from different users.
Timely post!!
I like the last statement. “Crimes are illegal” 😛
Great tutorial Alex! The volume of vlog sounded a little low though.
What is the user mode in the remote process that executes the payload? I'm guessing it depends on the server and how the devs of that particular host app decided to implement Log4j?
**To anybody who has ever noticed that the Linux norm of giving every context/app/process the weakest file mode (i.e. the 3 digit number you pass to chmod) that it could possibly get away with, and thought to themselves "...but is it really all that necessary?"** NOW YOU KNOW.
Can you still do any of this without LDAP installed? Is that installed by default and always on? If it is not installed would I still be vulnerable?
what human put that code in github?
Don't know how many similar vulnerabilities still exist but are undiscovered by the majority...
How to find the target java version someone?
What prevention actions are to be taken in network and security?
If the devs want to continue using log4j, v2.15+ disables the ability to run remote queries by default and just logs data unless you turn it back on... most apps though are just switching away from log4j core files. The only log4j files this affects are v2.0-2.14... had to do some research yesterday to harden a few things at work.
Thank you so much Alex, this topic is my project and my gatepass to be part of the cyber security team, I'm supposed to report and replicate the log4j attack but no luck in replicating using Minecraft, but this definitely is the easiest and safest way. Thank you, you just saved my career. God bless
Someone correct me if I'm wrong, but this only works if you know the location of the JNDI server the application is using AND you know that the application logs arbitrary user input?
If you know the application is using Log4j for logging, the server is your server where you store the malicious code and the path to the server is forwarded to the application as an argument using JNDI
Interesting. So in a real life situation against say a website server. You would need to set up port forwarding and use public ip instead of local? Or does this only work locally?
Some servers/environments allow a server to send queries through Internet. (Not advisable. But then, why log4j wants to implement query AND execution is beyond me. Why can't it just humbly log messages onto the disk?)
@@YuanLiuTheDoc cuz java duh
Having worked with Java engineers for more than two decades, part of me wants to giggle duh, but part of me still hurts. Server-side Java is here to stay no matter what. Sometimes I continue to hope that they - especially pure-play open source like Apache, can pick up the Unix principle of "do one thing, and do one thing well."
Can't get this to work on my current Java version 11, it wants 1.8... I forgot how much Java sucks! Haven't used it since university.
I am in the same situation, did you finally succeed to reproduce this POC ?
Would be nice if you actually showed yourself using the reverse shell and executing commands.
dude .... its a shell... you just run any commands... figure it out
Hello, I am trying to work on this but I never get the reverse shell, any idea? Never creates the connection back... any help would be highly appreciated.
The script is updated and doesn't work anymore with ghidra (I think). Check my video, maybe it can help u.
@@Roelox do you have a new video? Is it possible to post in your blog the version that you used in the video? Thank you very much in advance
@@guidoms7 What do you mean by "version"? U can just follow the steps in the video and it should work. The link of github and java are in description.
@@Roelox yeah I tried, but it did not work, it does not connect to nc, it is to create a demo for a local group but in Spanish
@@guidoms7 U got Discord?
Don't you just love when a feature turns into a deadly bug? Feature creep at its finest!
When I cloned the repository it didn't give me the jdk 1.8.0_20 folder and I'm having a hard time finding it outside.
Same
Go to the repository. It's all linked there
Enjoyed the table slap!
Works fine when everything is on same vm..., not so much when you split it across 2. The exploit is trivial to attempt, but quite tricky to pull off.
The background music is loud, please avoid using it or lower the volume at least. Other than that, it's an awesome video!
If your app runs inside a Kubernetes pod, does that app suffer from this kind of attack?
I would search up all your core files to look for any log4j-core files... if they are there and v2.0-2.14 then yes, you are vulnerable to attack.
One more point: if your application logs the user input directly then yes, you are vulnerable to attack.
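An added example, not the video's code, of the check these two replies (and the v2.0-2.14 comment further up) describe: a Python scanner that walks a directory such as a container image's extracted filesystem or a pod's mounted volume, finds log4j-core jars, reads their version, and also checks whether JndiLookup.class is still inside. The sample jars it builds are constructed fixtures; the version thresholds follow the thread, with 2.15/2.16 reported as "update" because later advisories moved the recommended fix to 2.17.x.

```python
import os
import re
import tempfile
import zipfile

# Added example, not code from the video. Verdicts follow the thread's range
# (2.0-2.14 vulnerable, lookups off by default from 2.15); later advisories
# moved the fix to 2.17.x, so 2.15 and 2.16 come back as "update".
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"^log4j-core(?:-(\d+\.\d+(?:\.\d+)?))?.*\.jar$")


def parse_version(text):
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(x or 0) for x in m.groups()) if m else None


def jar_version(jar_path):
    """Version from the filename, else from the Maven pom.properties in the jar."""
    m = NAME_RE.match(os.path.basename(jar_path))
    if m and m.group(1):
        return parse_version(m.group(1))
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPS in zf.namelist():
            for line in zf.read(POM_PROPS).decode("utf-8").splitlines():
                if line.startswith("version="):
                    return parse_version(line.split("=", 1)[1])
    return None


def assess(jar_path):
    """One verdict per jar; a missing JndiLookup.class on an old version means
    someone already applied the 'delete the class' mitigation."""
    version = jar_version(jar_path)
    with zipfile.ZipFile(jar_path) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    if version is None:
        return "unknown version"
    if version < (2, 0):
        return "1.x (not in scope here)"
    if version < (2, 15):
        return "vulnerable" if has_jndi else "mitigated (JndiLookup removed)"
    if version < (2, 17):
        return "update"
    return "ok"


def scan_tree(root):
    """Map relative jar path -> verdict for every log4j-core jar under root."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:  # log4j-api and log4j 1.x jars do not match NAME_RE
            if NAME_RE.match(name):
                path = os.path.join(dirpath, name)
                results[os.path.relpath(path, root)] = assess(path)
    return results


def build_sample_tree():
    """Constructed fixture: empty jars holding only the entries the scanner reads."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    fixtures = {
        "app/lib/log4j-core-2.14.1.jar": [JNDI_CLASS],
        "app/lib/log4j-api-2.14.1.jar": [],    # api jar: ignored
        "app/lib/log4j-core-2.17.1.jar": [JNDI_CLASS],
        "legacy/log4j-core.jar": [POM_PROPS],  # version only inside the jar
    }
    for rel, entries in fixtures.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"version=2.13.3\n" if entry == POM_PROPS else b"")
    return root


if __name__ == "__main__":
    for rel, verdict in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{verdict:32} {rel}")
```

For a pod, run scan_tree against the container image's extracted root filesystem; shaded or fat jars that bundle log4j-core under another name will not match NAME_RE and need the class-name check applied to them directly.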
I broke the Java sandbox in a browser almost 20 years ago and barely knew what I was doing. I wanted access to the file system to read and write files and managed to do it by spawning a new thread which called back into the main process. Which somehow broke the sandbox security. Wonder how many other simple exploits are in the wild today.
there were no sandboxed browsers & applets back then so no you didn't.
Can’t we do it on windows??
I bet this loophole was in use for a long long period of time and your personal information has been exposed to the bad guys. Just imagine your personal data, bank information, your internet activities, and etc.
great video, audio output is low
needed this video cause the hack the box walkthrough for Archetype was too big brain to understand well
Pfff, been scanning multiple applications all week to check for this. Luckily none have public endpoints but still, I don't want to rely on other measures to be safe, and which I'm not the owner of.
It’s a lot to deal with, getting to everyone before the holidays.
Great explanation. Good video. Spidey approves
I do not think ghidra is a local hosted server. I have been reading up on it and it is a public server.. almost executed the vuln on it...
dang my guy almost got 5 stars hacking the NSA
@@buckduff6003 hahaha yeah but actually bro, i spoke to someone with 10+ years of experience and was informed that ghidra actually runs on a local system... Ghidra description on their website is just confusing...
Scary thing is you can just literally execute ransomware just with Java through an old version of Minecraft Java Edition. Tbh isn't log4j made out of Java?
The thing is many RCEs might be out there that hackers are using and it's still not known to the MNCs.
The Chinese government just punished the Alibaba team for reporting this vulnerability to Apache without its approval. All the open source projects will face more stress on protecting their integrity.
*Why would a login form execute code* ?
Unless it is 'not a bug, but a feature', _intended_ for that exact purpose of providing a comfortable *'backdoor'* to sensitive user information, expecting the widespread integration of the shell in servers around the globe.
This vulnerability only affects those applications which are logging the user input directly.
@@danishnafis4985
"(...) *logging* the user input _directly_ (...)"
Thanks for reply.
Still, a user input form that acts de facto like a command line doesn't look random, even if it is the effect of linking some other library or program for logging - what's the purpose of *_logging user input_*, anyway - if a form is either filled with _a proper input_ or otherwise it would simply trigger no reaction?...
It's like writing most simple code, but _design_ other functions than just to 'echo' or 'print' inputs unto the screen - is it not ? (one would have to look into the respective source code)...
I assume the _abstraction_ level of cross-platform JAVA plays into that kind of obscurantism.
Are "we going to ahead and"....
Shots everytime he says it
this is actually easy to have survived this long
Name already says why it is there. Why log and let log run code, what it was was logging. lol. I don't get it
Great video!
Thank you so much for this!
If I understand this well, then it's actually not possible to hack a decent Web application. You can do this just on your laptop or on applications that have ZERO security measures.
Could anyone explain how would you exploit a Java application that does not have an LDAP with malware on the same server where the application is running and if the application is running in a private subnet, behind firewalls or security groups?
If my firewall/security group/NACL doesn't allow any outbound connection from the application to the Internet, then you can't really connect to anywhere using this hack and you can't install any malicious software on my server.
I don't understand what kind of important applications are deployed on a Public network, with all outbound traffic to all ports and protocols allowed, and preferably the application is a full stack one. If your application is like that, if it is not secured at all, then log4j is your least problem actually. You have much bigger vulnerabilities then... I don't get this global panic about log4j... Or is it that I didn't get it at all? :)
I agree. I have yet to see a local Windows attack that running Java gets an RCE. I think all this hype is for Minecraft. Maybe a new game is going to be released soon. All these videos ppl post are just impractical in the real world or on a LAN where Java runs on everyone's laptop/PC. Show that stuff, not this Minecraft server crap.
@@shibbyshaggy caves, cliffs, and log4j
Hey, please can you give my few questions an answer
Solid work!
Time to don the Grey Hat
Good vid.
Thank you
It's not illegal if you don't get caught
Hehe, I think it's funny that you're using Ghidra to demo this and it's also vulnerable to Log4Shell :-)
That is the S from SOLID
Please reply fast I have a presentation and I chose this
Buck's here, what are we doing cowboy
@@buckduff6003 lol
Is this beyond the average cyber security graduate
Awesome!
Time to hack the Mars rover
Why doesn't TH-cam take down your videos, after all you make very advanced hacking videos? :o
When I have that design on my computer... I'm going to jail even if I don't hack
I just wanna say thank you
This is too easy.
ill use this for good
if i can
Reverse engineering at its best. Good video.
Making reserved words in chat a simple cure?!
I feel like I want to test this on some android phone
Not smart lol
Pegasus hacking video bro
You know Pegasus isn't just available right? That's restricted stuff.
@@Rick-jf2ig oh well i'm sure you can find it somewhere i know the malware zoo atleast has a sample of it and the apk
I wish someone would hit area 51 with this :p
I Luv Hak5
Killing is bad and wrong. There should be a new word. Killing is Badong
5:41
learn java they said... whyyyyy?
I'm patched /o/
That's interesting
I abused the information in this video to get access to many systems
Nice
👍🏻🗡️
ahahaha...epic ending
LET'S SEE THE BOIS 🦶🦶👁👄👁
Possibly , only possible mind you ,you may need to see a doctor. you appear to have swelling at the base of your neck. Probably not a serious thing but maybe get it checked anyway. Could just be a camera angle thing.
Are you a doctor?
good thing nothing uses java
wow, script kiddies got Christmas early.
Wow
Pashmam
Why doesn't TH-cam take down your videos, after all you make very advanced hacking videos?
I wouldn't consider this advanced.
@@Bm23CC yeah also it's educational, double edged sword: teaches people to know what to look out for and learn their enemy better, and teaches one person another trick they can use as a black hat
Let's hack the Mars Rover
\o/
first